When Security Gets in the Way. PenTesting Mobile Apps That Use Certificate Pinning

Transcription

1 When Security Gets in the Way PenTesting Mobile Apps That Use Certificate Pinning Justine Osborne Alban Diquet

2 Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox Testing ios Certificate Pinning Within an ios App Intercepting the App's Traffic: MobileSubstrate Extension Android Certificate Pinning Within an Android App Intercepting the App's Traffic: Custom JDWP Debugger Conclusion

3 Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox Testing ios Certificate Pinning Within an ios App Intercepting the App's Traffic: MobileSubstrate Extension Android Certificate Pinning Within an ios App Intercepting the App's Traffic: Custom JDWP Debugger Conclusion

4 Certificate Pinning Hard- code in the client the certificate known to be used by the server Pin the server's certificate itself Takes the CA system out of the equation Pin the CA certificate used to sign the server's certificate Limit trust to certificates signed by one CA or a small set of CAs Significantly reduces the threat of a rogue CA and of CA compromise Implemented in Chrome 13 for Google services

5 Certificate Pinning in Mobile Apps Mobile is the ideal platform to implement certificate pinning A mobile App only needs to connect to a small set of servers The App's developers write the client- side code A small list of trusted CA certificates can be included in the App itself The device's trust store is completely ignored Certificate pinning is already being deployed Chrome for Android, Twitter, Cards.io

6 Mobile Blackbox Testing Some of the tester s tasks: Reversing the binary Analyzing the App's behavior at runtime (File I/O, IPC, etc...) Intercepting the App's network traffic using a proxy The tester's proxy has to masquerade as the server Requires adding the proxy's CA certificate to the device trust store This will not work if the App does certificate pinning

7 What This Presentation is About No simple solutions to defeat certificate pinning: Decompile the App's package/binary Change the certificate(s)? Patch SSL validation methods? Re- package and side- load the new binary Blackbox assessments are usually short projects Introducing new tools to make this easy: ios SSL Kill Switch Android SSL Bypass

8 Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox Testing ios Certificate Pinning Within an ios App Intercepting the App's Traffic: MobileSubstrate Extension Android Certificate Pinning Within an ios App Intercepting the App's Traffic: Custom JDWP Debugger Conclusion

9 Network Communication on ios Several APIs to do network communication on ios NSStream, CFStream, NSURLConnection Most ios Apps use NSURLConnection High level API to perform the loading of a URL request Verifies the server's certificate for https: URLs Developers can override certificate validation To disable certificate validation (for testing only!) To implement certificate pinning

10 NSURLConnection NSURLConnection has the following constructor: - (id)initwithrequest:(nsurlrequest *)request delegate:(id <NSURLConnectionDelegate>)delegate The delegate has to implement specific methods Those methods get called as the connection is progressing They define what happens during specific events Connection succeeded, connection failed, etc... Two documented ways to do custom certificate validation

11 NSURLConnectionDelegate

12 Custom Certificate Validation

13 Custom Certificate Validation

14 Jailbroken ios Development MobileSubstrate Available on jailbroken devices de facto framework that allows 3rd- party developers to provide run- time patches to system functions MobileSubstrate patches are called extensions or tweaks

15 MobileSubstrate Extension One example: WinterBoard Hooks into the SpringBoard APIs Allows users to customize their home screen

16 ios SSL Kill Switch MobileSubstrate extension that patches NSURLConnection at runtime Automatically loaded with every App on the device Hooks into the constructor for NSURLConnection: - (id)initwithrequest:(nsurlrequest *)request delegate:(id <NSURLConnectionDelegate>)delegate Replaces the delegate with a delegate proxy The delegate proxy forwards method calls to the original delegate Except calls to any method that performs custom certificate validation

17 ios SSL Kill Switch Hooking NSURLConnection s constructor #import "HookedNSURLConnectionDelegate.h" %hook NSURLConnection // Hook into NSURLConnection's constructor - (id)initwithrequest:(nsurlrequest *)request delegate:(id <NSURLConnectionDelegate>)delegate { // Create a delegate "proxy" HookedNSURLConnectionDelegate* delegateproxy; delegateproxy = [[HookedNSURLConnectionDelegate alloc] initwithoriginal: delegate]; } return %orig(request, delegateproxy); // Call the "original" constructor %end

18 ios SSL Kill Switch Forwarding method calls to the original HookedNSURLConnectionDelegate : NSObject... - (void)connection:(nsurlconnection *)connection didreceiveresponse:(nsurlresponse *)response { // Forward the call to the original delegate return [origidelegate connection:connection didreceiveresponse:response]; }

19 ios SSL Kill Switch Intercepting calls to certificate validation HookedNSURLConnectionDelegate : NSObject... - (void)connection:(nsurlconnection *)connection willsendrequestforauthenticationchallenge:(nsurlauthenticationchallenge *)challenge { // Do not forward... Accept all certificates instead if([challenge.protectionspace.authenticationmethod isequaltostring:nsurlauthenticationmethodservertrust]) } { } NSURLCredential* servercred; servercred = [NSURLCredential credentialfortrust:challenge.protectionspace.servertrust]; [challenge.sender usecredential:servercred forauthenticationchallenge:challenge];

20 ios SSL Kill Switch DEMO

21 Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox Testing ios Certificate Pinning Within an ios App Intercepting the App's Traffic: MobileSubstrate Extension Android Certificate Pinning Within an ios App Intercepting the App's Traffic: Custom JDWP Debugger Conclusion

22 Certificate Validation on Android Certificate Validation and Pinning on Android Device trust store cannot be modified by user until Android 4.0 (ICS) Certificate pinning can be implemented using an App specific trust store Common methods of certificate pinning outlined on Moxie s blog is- broken- in- ssl- but- your- app- ha

23 Certificate Pinning on Android Sample implementation private InputStream makerequest ( Context context, URL url ) { // Load custom Trust Store from a file AssetManager assetmanager = context.getassets(); InputStream keystoreinputstream = assetmanager.open("yourapp.store"); KeyStore truststore = KeyStore.getInstance("BKS"); truststore.load(keystoreinputstream, "somepass".tochararray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init(truststore); // Init an sslcontext with the custom Trust Store SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, tmf.gettrustmanagers(), null); // Use this sslcontext for subsequent HTTPS connections HttpsURLConnection urlconnection = (HttpsURLConnection)url.openConnection(); urlconnection.setsslsocketfactory(sslcontext.getsocketfactory()); } return urlconnection.getinputstream();

24 Bypassing Certificate Pinning Many possible ways to implement a bypass Decompile/Patch/Recompile/Resign/Sideload Custom VM/ROM with hooks built in Native code hooking (Mulliner) or native code debugger (gdb, vtrace) JDWP debugger

25 Bypassing Certificate Pinning Many possible ways to implement a bypass Decompile/Patch/Recompile/Resign/Sideload Custom VM/ROM with hooks built in Native code hooking (Mulliner) or native code debugger (gdb, vtrace) JDWP debugger

26 Java Debug Wire Protocol What is the Java Debug Wire Protocol (JDWP)? Standard Java debugging tools Programmatic debugging through Java APIs Java Debug Interface (JDI) Python bindings available through AndBug

27 Java Debug Wire Protocol What can we do with a JDWP debugger? Normal debugging tasks: set breakpoints, step, etc. Once suspended via a JDI event we can: Get the current thread, frame, frame object, local variables and arguments references Load arbitrary classes, instantiate Objects, invoke methods, get and set local variables and arguments values And more

28 JDWP - Certificate Pinning Bypass Many possible bypass implementations using JDWP debugger Three ideas explored: 1. Custom ClassLoader which loads modified system classes 2. Use DexMaker to generate proxy classes and replace instances with proxy class instances 3. Breakpoint on set of SSLSocketFactory and replace it with another SSLSocketFactory configured with an all- trusting TrustManager

29 JDWP - Certificate Pinning Bypass I Method 1: Custom ClassLoader to load hooked system classes Break on anything Set APK ClassLoader to a custom ClassLoader Custom ClassLoader.loadClass() modifies HttpsURLConnection upon loading Continue execution (may need to restart Activity)

30 JDWP - Certificate Pinning Bypass I Problems with method 1 Might work in Java but not in Dalvik Class loading is different, defineclass() simply not supported User defined class loaders are not currently allowed to modify classes loaded from the $BOOTCLASSPATH Detailed in code comments in /dalvik/vm/oo/class.cpp

31 JDWP - Certificate Pinning Bypass II Method 2: Object substitution with proxied copy Break after instantiation of HttpsURLConnection Use DexMaker to dynamically generate proxy class for HttpsURLConnection Replace HttpsURLConnection object with one created using the generated proxy class Continue execution

32 JDWP - Certificate Pinning Bypass III Method 3: TrustManager substitution Break on HttpsURLConnection.setSocketFactory() Replace socket factory local variable with one created using an all- trusting TrustManager Continue execution

33 Android SSL Bypass Simple implementation for first version Using Method 3 right now Future versions will explore method 2 for further extensibility

34 Android SSL Bypass DEMO

35 Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox Testing ios Certificate Pinning Within an ios App Intercepting the App's Traffic: MobileSubstrate Extension Android Certificate Pinning Within an ios App Intercepting the App's Traffic: Custom JDWP Debugger Conclusion

36 Summary ios SSL Kill Switch Tested on ios 4.3 and ios ssl- kill- switch Android SSL Bypass Tool Tested on Android and ssl- bypass Comments / Ideas? [email protected] [email protected]

37 The End QUESTIONS?

38 Reference Material Certificate pinning on ios ssl- pinning- for- cocoa- touch/ MobileSubstrate Certificate pinning on Android is- broken- in- ssl- but- your- app- ha DEXMaker isec Partners on GitHub